Policy | Security | Investigation


March 20, 2010

If an enterprise is not archiving e-mail in a systematic way, e-discovery can be a headache when a lawsuit is filed. This lesson applies just as much to a plaintiff (the one who initiates a lawsuit) as to a defendant (the party against whom the lawsuit is filed). A case in point is The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., No. 05 Civ. 9016 (SAS), 2010 WL 184312 (S.D.N.Y. Jan. 15, 2010). In this case, several institutional investors (the “plaintiffs,” which included a university pension fund) sued hedge fund managers (the “defendants,” which included a subsidiary of Bank of America) to recover $550 million in investment losses.

In a lawsuit, e-discovery is a two-way street. The plaintiff can demand that the defendant turn over its email, and the defendant can demand that the plaintiff turn over its email. So in this case the defendants said, “Plaintiffs, you have dragged us into court regarding these investments. We demand to see your email concerning these investments.”

The plaintiffs had been haphazard in retaining email. In practice, the essence of their policy (which, largely, was not in writing) was to retain much of their email for short periods of time – a few weeks, maybe a few months, maybe a year . . . it all varied because the plaintiffs had no systematic policy for archiving email. Different employees made different decisions about keeping e-mail. But the general practice was to destroy rather quickly.

The judge said that at the time the plaintiffs started to prepare for the lawsuit (2003-2004), they should have instituted a “litigation hold” on all relevant email, wherever it may be, whether on servers, laptops or even backup tapes if the email was stored only in backup. The judge’s reasoning was that if the plaintiffs think they are going to be in a lawsuit, then they need to preserve the evidence related to the topic of the lawsuit. They should not let the evidence be destroyed; they should not allow emails to be erased.

Analysis: The reality is that in any enterprise (public sector or private sector) a litigation hold is VERY HARD to implement in practice. A litigation hold requires real work, diligence, expertise and forethought to find, evaluate and preserve all the relevant email (the relevant email can be voluminous, involving, in a case like this, maybe thousands of messages). The plaintiffs did not institute a good litigation hold at the right time, and therefore the court believed important emails were deleted and relevant evidence had been lost.

Result: Because the plaintiffs did not do what they should have done, the court ruled the defendants were entitled to a remedy in the form of a so-called “negative inference.” When a party like a defendant is awarded a “negative inference,” it gets a strategic advantage in the lawsuit. The strategic advantage means it will be easier for the party (the defendant) ultimately to win the lawsuit. [Technical detail: The negative inference in this case was that the jury would be told that plaintiffs possessed relevant email evidence, but lost it, and the evidence is more likely to have supported the defendants’ side of the case.]

The court also ruled that plaintiffs must pay some of the defendants’ attorney and expert fees/costs related to e-discovery. Ouch. That ruling is expensive for the plaintiffs.

Lesson: Litigation is hard to predict. But many enterprises know that eventually they will be involved in lawsuits of one nature or another, and they will be expected to have instituted a litigation hold to preserve email. Knowing precisely when and how to institute the litigation hold is, in practice, very hard.

Courts like the one in this case are becoming progressively more demanding in their standards for litigation holds on email.

Thus, a haphazard policy on email retention, which generally includes short retention periods (such as 90 days and the like), can come back to haunt an enterprise like the university pension fund in this case. As a practical matter, the risk of this problem can be mitigated by adopting a policy to archive the emails of important people – like investment analysts and decision makers – for numerous years (e.g., seven years).

--Benjamin Wright

In collaboration with Netmail, Mr. Wright leads on-site workshops for the development of electronic records policy in mid-to-larger sized enterprises.

December 30, 2009

Electronic discovery (EDD*) and the destruction of digital evidence are global issues, affecting more than just North America. Throughout the world, electronic records are ubiquitous, and mushrooming in volume. Any law enforcement investigation in the world – whether a lawsuit, a tax audit, a police inquiry, an arbitration proceeding, a legislative hearing, an administrative probe or a government inspection – is likely today to seek access to electronic records (email, databases, flash drives, text messages, Facebook posts, YouTube videos, digital photographs, laptop hard drives, and more).

Naturally, to thwart an investigation, an unscrupulous holder of e-records (ESI) wants to destroy them. In the US, we call that destruction “spoliation” or “obstruction of justice.” Other jurisdictions may use different words for unlawful destruction of evidence, but the general concept of law must be universal. If law enforcement is to function, it must forbid and punish wrongful destruction of electronic evidence.

Many of the leading cases punishing the destruction of computer evidence are American, and to a lesser extent Canadian. But cases are emerging in other countries.

One such case before the Singapore High Court is K Solutions Pte Ltd v. National University of Singapore [2009] SGHC 143. This lawsuit was a contract dispute involving IT services provided by K Solutions (KS) to a university. Under the rules of discovery in the lawsuit, the university sought from KS certain email records, in addition to audio recordings of meetings between KS and university staff.

The court noted that Singapore rules of procedure (Order 24 rule 16(1) of the Rules of Court) require a litigant like KS to disclose relevant records to its adversary, the university. Evidence in this case showed that KS had possessed numerous relevant electronic mail records and audio recordings, which it had not released to the university. Although KS explained that some email records had been destroyed innocently under its policy of retaining e-mail for only six months, the court was suspicious. The court believed KS’s email destruction policy should have been suspended because KS knew that litigation was likely. (In other words, using American parlance, KS should have applied a “litigation hold” to the email.)

The court observed that although the rules of procedure do not explicitly forbid a party from destroying records, the rules imply that records should be preserved when litigation is pending or anticipated and that wrongful destruction should be punished.

As the court considered KS’s deletion of email, it noted that KS, during the course of the lawsuit, had also been evasive and untruthful about its records. The court levied severe sanctions against KS, effectively granting judgment against it in favor of the university.

Analysis: From the perspective of any enterprise such as a business, law punishing the destruction of evidence is dangerous. Digital records are destroyed constantly, in the ordinary course of operations. But the law may punish destruction if a legal authority concludes the destruction should have been avoided. In any investigation the authority looks backwards and second-guesses what the defendant did in the past. Retrospection is always how investigations like lawsuits or tax appraisals work. With the benefit of hindsight, an action (or omission) of records management that seemed innocent to the defendant at the time can appear sinister later. All enterprises (US and non-US) therefore need margin for error. The law gives them incentive to be more generous in retaining computer records, especially electronic mail. And the law gives incentive to keep email of important people much longer than six months.

--Benjamin Wright

Mr. Wright serves as a public speaker on e-discovery, e-records management and IT security law. He speaks to professional groups like the Institute of Internal Auditors and the SANS Institute.

*What is EDD? Electronic Data Discovery is a relatively new legal term of art. It refers to the process of finding, managing and disclosing electronic records (whether on a tape, a PC, an iPod, a cell phone or whatever device) as required in a lawsuit or legal investigation, such as a regulatory audit.

November 04, 2008

Just as legislatures should stay away from writing technical data security specifications, regulatory authorities should shy away too. An example of an unhelpful technical regulation comes from the well-meaning Massachusetts Office of Consumer Affairs and Business Regulation. It published regulations on the protection of personal information, 201 CMR 17.00. Section 17.04(5) requires "encryption" of personally identifiable data on laptops and iPads.

But 17.02 defines "encrypted" as "the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key . . . " Hmm. So under this regulation what does the word "encryption" mean in practice?

"Encryption" seems to include the transformation of data by some means that is at least as good as an algorithm. But which algorithm? The regulation does not really say. Some algorithms are very easy to break. Others are less easy. Few if any commercially useful algorithms are impossible to break.

Would it be reasonable to interpret 17.02 to allow processes that are easy to break? Maybe not. 17.02 requires the process to transform data “into a form in which meaning cannot be assigned without the use of a confidential process or key”. An easily breakable algorithm does not satisfy the “cannot” requirement.

OK. So it seems 17.02 excludes an easily breakable algorithm. Next question: What about an algorithm that is hard to break, but not literally impossible to break? Many reasonably good algorithms can eventually be broken if (for example) enough brute force computing power is applied for a long period of time. But if 17.02's word “cannot” is read literally, then the hard-to-break algorithm would be excluded too. Such a literal reading of the regulation would seem unreasonable, because few if any commercially available algorithms are literally impossible to break forever.

Hence, it seems 17.02 requires hard-to-break encryption – but not impossible to break encryption – anytime private data are stored on a laptop. [If in fact that is what the drafters of the regulation mean, then why don’t they explicitly say that?]

So now that we think we better understand the regulation, let’s think more about the technology of encryption. Smart people are constantly seeking spectacular new ways to break good encryption. And every so often they succeed. For example, Wired Equivalent Privacy or WEP encryption was broken a few years after it came into wide use.

Given that strong encryption is proven from time to time to be weak, encryption users have to upgrade their technology every so often. When they hear that their current encryption has been broken, they shift to something else. Section 17.02 could reasonably be read to require this upgrading process.

Assuming 17.02 does require periodic upgrading, please consider this scenario: A Massachusetts government agency stores private data on numerous laptops. To comply with 201 CMR 17.00, the agency implements encryption method X to protect the data. At the time of implementation, method X has a reputation for being good.

As time passes, a lawsuit arises, and the data on the laptops might be relevant to the lawsuit. The agency therefore implements a litigation hold on the data on the laptops, so as to avoid destroying any evidence while the lawsuit is pending.

A lawsuit can take years to conclude. During the pendency of this lawsuit, let's say the agency de-commissions the laptops. Its employees no longer use the laptops. But the agency cannot destroy the data on the laptops on account of the litigation hold. So it stores the laptops in a well-secured warehouse.

More time passes. It becomes widely known in the encryption community that method X is lousy (like WEP); it is breakable. Must the agency now go to the expense of upgrading the encryption on the de-commissioned, physically-secure laptops? Massachusetts regulation 201 CMR 17.00 seems to require such a (senseless) upgrade, for the regulation seems inflexible. The regulation fails to provide discretion to users.

Lesson: Better-written laws just set goals, and let users apply all the methods at their disposal to reach those goals. Unlike 201 CMR 17.00, better laws avoid specifying particular technologies for advancing civil rights like privacy.

Update: Reacting to public criticism, Massachusetts has revised proposed 201 CMR 17.00 many times since first publication. Last I heard, the effective date of the latest version of the regulation is March 1, 2010.

August 05, 2008

Data Breach Notice to Employees and Dependents

Compromise of Password-Protected Computer Lost in Burglary

Anheuser-Busch notified thousands of employees that their personal data, and the data of their dependents, may theoretically be at risk of identity theft. The data were on a password-protected laptop, and the data were encrypted.

The case comes to light because one of the states involved, New Hampshire, requires notice be sent both to affected individuals and to the state attorney general, who publishes the notices on the web. New Hampshire’s law does not require notice if data were encrypted. AB says the data were encrypted. It also says it has no information suggesting the burglars are attempting identity theft. So why did it give notice?

My guess is that the company was motivated more by the politics of the situation than a strict reading of the law.

Local ARMA Quote

"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in the subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center in 1984.

SANS Quote

"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- is public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.